Handling Groups and Permissions: Grouper and Signet and uPortal
JA-SIG, Vancouver, BC, 06/06/06
Lynn McRae, Stanford University; Keith Hazelton, University of Wisconsin
With thanks to Tom Barton, University of Chicago
Identity & Access Management
• A person's privileges are shaped by many Sources of Authority
  • Institutional policy making bodies
  • Resource managers
  • Program/activity heads
  • Individuals -- friends and self
• Management of privileges should be distributed
  • Hook up all Sources of Authority to the middleware
• Common middleware infrastructure should be operated centrally
  • Departments/programs/activities/applications should not have to build their own core middleware
  • Resources should be shared through the infrastructure
Access Control Decision
Q: Subject + Resource + Action + Context
• Subject = who or what wants to take an action
• Resource = what the action is against, e.g., file, building, data, service, etc.
• Action = what they want to do, e.g., view, modify, enter, approve, run, etc.
• Context = time of day, academic term, weather, etc.
A: Policy interpretation and decision, e.g.
• Resource and action are available to a group, e.g., Faculty at MIT, Students in a class
• Available to anyone with "entitlement" for the service
…by any other name
• Signet and XACML: Subject, Action, Resource, Context
• uPortal Permission: Principal, Activity, Target
Policy based authorization (diagram): a Subject tries to access a Resource with an Action; the Identity Provider authenticates the Subject and supplies identity attributes and Context; the Service Provider evaluates the required identity attributes against the Rules/Policy for the Resource and grants or denies access.
Policy interpretation
• Policy can be very simple
  • In group "uportal-sysadmins"
  • In role "faculty"
• or more and more complicated
  • Faculty in Law School, or designated TAs, or other faculty teaching a Law School course
  • for courses offered this term
  • can or cannot submit grades
Groups and Privileges
• Two kinds of Subject information are used in making access control decisions
  • Who you are -- aka "groups" or "roles"; cf. RBAC
  • What you can do -- aka "privileges"; cf. "value-based authority" or "row-based authority"
• Both types of information are conveyed through attributes about a person
• Grouper and Signet are tools that let you enrich descriptive attributes about people in both ways
Filling the gap (diagram): Identity Management feeds Shib with HR's Affiliation: faculty and SIS's Instructor: CS-313. Consumers apply rules against those attributes: CourseWare (CS-313 grades) allows CS-313; the Library (CompSci resources) allows CS teaching; an External Partner allows CS affiliates. The Professor asks: What about my TAs? … my auditors? … extensions/makeup?
Extending Course infrastructure (diagram): the same flow, with Grouper inserted between Identity Management and Shib. The union with the Grouper-managed group Class:CS-313:TA is released via Shib as isMemberOf: CS-313, so CourseWare (Allow CS-313), the Library (allow CS teaching) and the External Partner (allow CS affiliates) keep their existing rules and the Professor's TAs are covered.
Signet privilege management (diagram): Identity Management supplies affiliations to Shib; Signet supplies per-person privileges. Examples: James Billington -- special_collections (manuscripts, view), (king_papers, copy); printing (max100). Marc Crawford -- athletic (golf_course); facilities (pool, after5). Marin Alsop -- blackboard (music103); music (practice_room). Consuming services (Athletic Facilities, Blackboard, Printing) combine affiliation-based rules (faculty, staff, student, guest) with these privileges.
uPortal specific permissions (diagram): Signet holds uPortal-specific assignments alongside Identity Management's Affiliation: temp. The Portal Admin grants uportal_access(level1) with an expiration date; a Dept Admin grants tab_admin(module3) and tab_admin(module8), valid as long as the holder is "staff". Portal roles shown: spon. guest, admin.
Grouper
• Middleware software/toolkit
  • User access through a common UI
  • Program access through a common API
• Defines a "Groups Registry"
  • Brings scattered duplicative groups together for re-use
  • Allows useful actions on these groups -- group math, group nesting, exclusion criteria
  • Hierarchical name-space (name stems & substems)
• Can leverage existing group information
• Supports the creation of new groups
  • By schools, departments, and individuals!
• Distributed/delegated model of control
Signet
• Middleware software/toolkit
  • User access through a common UI
  • Program access through a common API
• Brings privilege information together in one place -- a "Privilege Registry"
  • Central granting, can apply across multiple systems
  • Central reporting, history, auditing, review
  • Accessible to managers AND holders of privileges
• Independent of specific vendors, systems, releases or technologies
• Distributed/delegated model of control
Shared Subject API
• Subject -- a person, group, application, or other type of object whose identity is managed by your IAM system
• Abstracts the underlying technology and data model from a relying application
• Source Adapters
  • Identify the attributes/columns distinguished as "subjectID", "name" and "description"
  • Specify back-end-specific searches for each subject type and each search method: Select, Search by identifier, Search
Grouper Overview
• Mix of manual and automation processes manage a common Groups Registry
  • Stored in an RDBMS
  • Automation processes provision info from the Groups Registry into LDAP, AD, directly into application-specific databases -- wherever the value of the info warrants spending the resources to place it there
• Two types of managed objects: groups and naming stems
  • Groups are created & named with a naming stem
• Group management authority is delegatable
  • By group or by naming stem
Grouper Groups
• Any "subject" can be a group member or privilegee
  • Persons, groups, site-defined subject types
  • Uses the Subject API developed by the Grouper+Signet teams
• Subgroups (now), composite groups (v1.0), and aging (v1.1) of groups and memberships
• Privileges: ADMIN, UPDATE, READ, VIEW, OPTIN, OPTOUT
• Group attribute set can be site-extended
Naming Stems
• Groups are created with naming stems
  • Limits the authority to create and name groups
  • Supports distinct activities with their own authority
• Naming stems can be arranged hierarchically, e.g., uc, uc:nsit, uc:nsit:labs
• Privileges
  • STEM -- create subordinate naming stems; assign privs for this naming stem
  • CREATE -- create groups with this naming stem
Composite Groups
• Membership is defined by composing the memberships of 2 other groups
  • A = B ∪ C (union)
  • A = B ∩ C (intersection)
  • A = B – C (relative complement)
• Common use -- "tweak" existing groups
  • Whitelist or blacklist factored in to another group
Example: Computer Cluster Access (diagram): Allow access if in (nsit:labs:eligible – nsit:labs:barred). Groups in the picture: nsit:labs:eligible (manual), nsit:labs:barred (manual), nsit:labs:whitelist (manual), nsit:labs:blacklist (manual), uc:faculty (auto), uc:staff (auto), categories of entitled students (auto), categories of barred students (auto), time-dependent student categories (auto).
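The composite-group operations from the previous slide, applied to the cluster-access example above, as an added illustration that is not code from the Grouper project. Group names follow the slide; the subject ids are constructed, and how the automated feeds and the manual whitelist/blacklist combine into "eligible" and "barred" is an assumption stated in the comments.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    """A Grouper-style group: a stem-qualified name plus a set of subject ids."""
    name: str
    members: frozenset

    # Composite groups: membership is defined by composing two other groups.
    def union(self, other):
        return Group(f"({self.name} U {other.name})", self.members | other.members)

    def intersection(self, other):
        return Group(f"({self.name} ^ {other.name})", self.members & other.members)

    def complement(self, other):
        """Relative complement: members of self that are not members of other."""
        return Group(f"({self.name} - {other.name})", self.members - other.members)

    def has_member(self, subject_id):
        return subject_id in self.members


def group(name, *members):
    return Group(name, frozenset(members))


# Constructed sample registry mirroring the slide's groups; subject ids are made up.
uc_faculty = group("uc:faculty", "prof1")                                  # auto
uc_staff = group("uc:staff", "staff1")                                     # auto
entitled_students = group("uc:students:entitled", "stu1", "stu2", "stu3")  # auto
barred_students = group("uc:students:barred", "stu2")                      # auto
whitelist = group("nsit:labs:whitelist", "guest1")                         # manual
blacklist = group("nsit:labs:blacklist", "stu3")                           # manual

# Assumption about how the slide's feeds combine: the automated feeds plus the
# manual whitelist form "eligible"; barred categories plus the blacklist form "barred".
eligible = group("nsit:labs:eligible",
                 *uc_faculty.union(uc_staff).union(entitled_students).union(whitelist).members)
barred = group("nsit:labs:barred", *barred_students.union(blacklist).members)


def lab_access_allowed(subject_id, eligible=eligible, barred=barred):
    """Allow access iff the subject is in (nsit:labs:eligible - nsit:labs:barred)."""
    return eligible.complement(barred).has_member(subject_id)


def contested(eligible=eligible, barred=barred):
    """Subjects in both groups: the blacklist wins, so this is the list worth reviewing."""
    return eligible.intersection(barred).members
```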
Systems Integration
• API
• XML Import/Export Tool
  • Snapshots the Groups Registry, including naming stems and privileges
  • A single group
  • All subordinate to a specified naming stem
  • All matching a search condition
  • Entire Registry
uPortal - Grouper Example: Managing e-Reserves
• Task: Some library staff can manage e-Reserves (a group of some 100 members)
• The Library knows who they are
• So let's delegate management of the group to them
• Well…
Example: Managing e-Reserves
• With uPortal today, the privilege to manage groups is on or off for a given person
• Delegating group management to library staff gives them authority over all groups
• So instead, a central IT staff person manages e-Reserve group membership
Example: Managing e-Reserves
• If uPortal used Grouper
  • Create a library "stem"
  • One assignment by central IT staff to a library staff member gives them "stem" privilege over the library stem
  • They in turn create an e-Reserve group under that stem and manage its membership
  • And the Grouper UI gives them a good way to do that
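The e-Reserves delegation walked through above, as an added example that is not Grouper's own code or API. It is a small model of naming stems and the STEM/CREATE naming privileges from the "Naming Stems" slide; the rule that a STEM holder may grant CREATE on that stem, and all subject names, are assumptions for the example.

```python
class GroupsRegistry:
    """Minimal model (an assumption, not Grouper's API) of naming stems, groups,
    and the STEM / CREATE naming privileges that gate who may act under a stem."""

    def __init__(self, root_admin):
        # stem name -> {subject: set of naming privileges}; "" is the root stem
        self.stems = {"": {root_admin: {"STEM"}}}
        # group name -> {"admins": set, "members": set}
        self.groups = {}

    @staticmethod
    def parent(name):
        return name.rsplit(":", 1)[0] if ":" in name else ""

    def _privs(self, subject, stem):
        return self.stems.get(stem, {}).get(subject, set())

    def grant(self, grantor, stem, grantee, priv):
        """Only a STEM holder on this stem may assign STEM or CREATE on it."""
        if "STEM" not in self._privs(grantor, stem):
            raise PermissionError(f"{grantor} lacks STEM on '{stem or 'root'}'")
        self.stems.setdefault(stem, {}).setdefault(grantee, set()).add(priv)

    def create_stem(self, actor, name):
        """STEM on the parent lets you create a subordinate stem; the creator gets STEM on it."""
        if "STEM" not in self._privs(actor, self.parent(name)):
            raise PermissionError(f"{actor} may not create stem '{name}'")
        self.stems[name] = {actor: {"STEM"}}

    def create_group(self, actor, name):
        """CREATE on the immediate stem lets you create a group named under it."""
        if "CREATE" not in self._privs(actor, self.parent(name)):
            raise PermissionError(f"{actor} may not create group '{name}'")
        self.groups[name] = {"admins": {actor}, "members": set()}

    def add_member(self, actor, group_name, subject):
        if actor not in self.groups[group_name]["admins"]:
            raise PermissionError(f"{actor} is not an admin of '{group_name}'")
        self.groups[group_name]["members"].add(subject)


def ereserves_scenario():
    """The slide's delegation: one central assignment, then the library self-manages."""
    reg = GroupsRegistry(root_admin="central-it")
    reg.create_stem("central-it", "library")
    reg.grant("central-it", "library", "librarian", "STEM")   # the single central act
    reg.grant("librarian", "library", "librarian", "CREATE")  # delegated authority in use
    reg.create_group("librarian", "library:e-reserves")
    reg.add_member("librarian", "library:e-reserves", "lib-staff-1")
    return reg
```

The librarian's authority stops at the library stem: creating a group under any other stem, or granting privileges at the root, still fails with PermissionError.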
uPortal - Grouper Example: Institutional Affiliations
• Tabs in UW-Madison's uPortal install are specific to broad institutional affiliations (read: groups)
  • Student, Faculty, Staff, Advisor, …
• But it's not only the portal that cares about membership in these affiliations
• Best to manage them as part of shared infrastructure via Grouper
  • Loaders from Systems of Record populate the groups (single integration point for them)
  • uPortal and other apps consume as needed
Reuse of subject info maintained by Grouper & Signet (diagram): Signet and Grouper feed the LMS, the Library and uPortal.
Signet Overview
• Analysts define privileges in functional terms and specify the associated system-level permissions
• Signet presents this functional view in a Web UI where users assign privileges & delegate authority across all areas in which they have authority
• Signet internally maps assigned privileges into the system-specific terms needed by applications
• Privileges are exported, transformed, & provisioned into applications and infrastructure services
• Signet provides automated lifecycle controls
Privileges Building Blocks (diagram): Functional view -- Subsystems, Categories, Functions, Scope, Limits, Prerequisites & Conditions. System view -- Permissions (Subject, Action, Resource).
Functional View
Subsystems contain…
• Categories -- provide a useful arrangement of functions within a subsystem; for reporting, ease of use
• Functions -- the things a person can do; what they are getting privileges for
• Scope -- organizational hierarchy governing distributed delegation
• Limits -- qualifiers, constraints for a privilege
Functional View (diagram): organizing actions into Subsystems, Categories, Functions and Limits. Items shown: Student Admin / Course Support -- Add/Drop students (which term), Schedule Classes (which campus), Process Applicants (for school…); Financial Aid -- Award Scholarships (from fund…), Manage Accounts (for fund…); Clinical Trial / Protocol A -- Patient Records (read/write), Materials Control (qty/day); Grant Admin -- Manage ($ constraints), Lab Access (hours).
Systems View
• Permissions -- atomic units of control that map to specific access rules in systems; include limits that must be evaluated when interpreting permissions
• Resources -- the target of a specific privilege; things that have access rules to control their use
Functional View to Resources/Permissions (diagram): categories and functions (Student Admin -- Add/Drop students, Course Support, Schedule Classes, Process Applicants; Financial Aid -- Award Scholarships, Manage Accounts) map onto resource permissions: Calendar -- reserve_time, view_schedules; Course -- update_course_data; Facilities -- reserve_room; Financial -- view_fund_data, update_fund_data; Student -- student_records, applicant_data.
Systems Integration
• Privilege Management Java API
• Permissions document
  • XML representation of privileges for an individual or group
  • Will be compatible with XACML
  • For provisioning of privilege data into applications
Privileges Lifecycle
• Conditions -- provide automatic revocation of privileges
  • Date controls -- from date, until date
  • Will be based on person's status, affiliation, etc., e.g., as long as person is at Stanford
• Prerequisites -- pre-conditions that must be met to activate privileges, e.g., training
Other features
• Assignments can be
  • To an individual
  • To a Group
• With/without ability to further delegate
  • Distributed delegation using organizational hierarchy
  • Records "chain of command"
• Proxy assignment
  • Temporary granting of one's privilege to another
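The lifecycle controls and functional-to-system mapping from the last few slides, as an added example that is not Signet's own code or API. It models a privilege assignment with limits, a from/until date window, a status condition and a training prerequisite, then derives the system permissions to provision; the function-to-permission table, the person and assignment data, and the field names are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Functional view -> system view, following the slide's Financial Aid example;
# which permissions each function implies is an assumption for this example.
FUNCTION_PERMISSIONS = {
    "award_scholarships": {"view_fund_data", "update_fund_data"},
    "manage_accounts": {"view_fund_data"},
}

@dataclass
class Assignment:
    grantee: str
    function: str
    limits: dict                                 # e.g. {"fund": "fund-42"}
    effective: date                              # "from date"
    until: Optional[date] = None                 # "until date"
    required_affiliation: Optional[str] = None   # e.g. valid as long as person is "staff"
    prerequisites: frozenset = frozenset()       # e.g. training that must be completed
    granted_by: str = ""                         # records the chain of command

@dataclass
class Person:
    subject_id: str
    affiliations: frozenset
    completed: frozenset                         # prerequisites this person has met

def is_active(a, person, when):
    """Lifecycle check: date window, status condition and prerequisites must all hold."""
    if when < a.effective or (a.until is not None and when > a.until):
        return False
    if a.required_affiliation and a.required_affiliation not in person.affiliations:
        return False
    return a.prerequisites <= person.completed

def effective_permissions(person, assignments, when):
    """Map each active functional assignment to (permission, limits) pairs for provisioning."""
    perms = set()
    for a in assignments:
        if a.grantee == person.subject_id and is_active(a, person, when):
            for p in FUNCTION_PERMISSIONS[a.function]:
                perms.add((p, tuple(sorted(a.limits.items()))))
    return perms

# Constructed sample data: Alice holds the privilege for 2006, conditioned on staff status
# and on having completed fund training.
ALICE = Person("alice", frozenset({"staff"}), frozenset({"fund-training"}))
ASSIGNMENTS = [Assignment("alice", "award_scholarships", {"fund": "fund-42"}, date(2006, 1, 1),
                          date(2006, 12, 31), "staff", frozenset({"fund-training"}), "fin-aid-director")]
```

Re-running effective_permissions after a status change or past the until date yields an empty set, which is the automatic revocation the lifecycle slide describes.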
Privilege Elements by Example (diagram: Privilege, Lifecycle)
Signet & Grouper Roadmaps
• Now available
  • Grouper v0.9 -- UI & API source release
  • Signet 1.0 -- UI, binary release
  • Subject API v0.1b
• Signet Roadmap
  • v1.1, Summer 2006 – full API source release, rules processor
• Grouper Roadmap
  • v1.0, July 2006 – group math
  • v1.1, September 2006 – group & membership aging
• Subject API
  • v1.0, ? 2006 – minor changes, updates to reference implementations
Resources & Participation
• Grouper
  • team: University of Chicago & University of Bristol
  • http://grouper.internet2.edu
• Signet
  • team: Stanford University
  • http://signet.internet2.edu
• Internet2 Middleware Initiative
  • http://middleware.internet2.edu/
  • Documents, software, cvs
  • Details for subscribing to mailing lists
  • Conference call agendas & dialing instructions